diff options
| author | Markus Heiser <markus.heiser@darmarit.de> | 2024-01-31 08:52:07 +0100 |
|---|---|---|
| committer | Markus Heiser <markus.heiser@darmarIT.de> | 2024-01-31 17:23:41 +0100 |
| commit | ab8e5383fb6021afd690060c7b718dc505e7d30c (patch) | |
| tree | 8b6a7720c55aee96fa0c12d20c0047bb2bcb9072 /docs | |
| parent | dca78f920f5c3c3804eb1463bb095af9dae43aa1 (diff) | |
| download | searxng-ab8e5383fb6021afd690060c7b718dc505e7d30c.tar.gz searxng-ab8e5383fb6021afd690060c7b718dc505e7d30c.zip | |
[mod] remove X-XSS-Protection headers
Deprecated header not used by browsers nowadays[1]:
"""In modern browsers, X-XSS-Protection has been deprecated in favor of the
Content-Security-Policy to disable the use of inline JavaScript. Its use can
introduce XSS vulnerabilities in otherwise safe websites. This should not be
used unless you need to support older web browsers that don’t yet support CSP.
It is thus recommended to set the header as X-XSS-Protection: 0."""[2]
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
[2] https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
Closes: https://github.com/searxng/searxng/issues/3171
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/admin/settings/settings_server.rst | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/docs/admin/settings/settings_server.rst b/docs/admin/settings/settings_server.rst index b1b3a14f7..daba6d1dd 100644 --- a/docs/admin/settings/settings_server.rst +++ b/docs/admin/settings/settings_server.rst @@ -16,7 +16,6 @@ image_proxy: false default_http_headers: X-Content-Type-Options : nosniff - X-XSS-Protection : 1; mode=block X-Download-Options : noopen X-Robots-Tag : noindex, nofollow Referrer-Policy : no-referrer |